- ABP Framework version: v8.0
- UI Type: Angular
- Database System: SQL Server
- Tiered (for MVC) or Auth Server Separated (for Angular): https://neoauth-uat-test.dawaa24.com/
- Exception message and full stack trace:
- Steps to reproduce the issue:
I have an nginx acting as a proxy server, and behind it there's an auth server (https://neoauth-uat-test.dawaa24.com/) hosted on IIS.
I am requesting the endpoint https://neoauth-uat-test.dawaa24.com/connect/token to get the token, and it's responding with a 200 status code and giving me an access token and a refresh token.
Those two tokens should be saved in the Auth database.
**The problem is that it doesn't save any.**
Upon reviewing the Auth logs I see this error:
```
2024-05-05 14:23:46.556 +04:00 [ERR] An exception was thrown while deserializing the token.
Microsoft.AspNetCore.Antiforgery.AntiforgeryValidationException: The antiforgery token could not be decrypted.
 ---> System.Security.Cryptography.CryptographicException: The key {9f5dc130-2567-47b5-93b6-328773960f1d} was not found in the key ring. For more information go to https://aka.ms/aspnet/dataprotectionwarning
   at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.UnprotectCore(Byte[] protectedData, Boolean allowOperationsOnRevokedKeys, UnprotectStatus& status)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.Unprotect(Byte[] protectedData)
   at Microsoft.AspNetCore.Antiforgery.DefaultAntiforgeryTokenSerializer.Deserialize(String serializedToken)
   --- End of inner exception stack trace ---
   at Microsoft.AspNetCore.Antiforgery.DefaultAntiforgeryTokenSerializer.Deserialize(String serializedToken)
   at Microsoft.AspNetCore.Antiforgery.DefaultAntiforgery.GetCookieTokenDoesNotThrow(HttpContext httpContext)
```
I don't know if it's related or not, but how can I solve this issue?
I followed the Microsoft docs for configuring Nginx for .NET from this link: Configure Nginx
I am completely lost and have spent two days troubleshooting without getting anywhere.
If someone can help with this I would be very grateful.
Additional note: from the web UI (https://neoauth-uat-test.dawaa24.com/) I can log in to the Auth Server, like in the picture.
15 Answer(s)
-
0
Hi,
You can check this: https://stackoverflow.com/questions/63316682/the-key-was-not-found-in-the-key-ring-unable-to-validate-token
I guess the cookies are not being forwarded correctly
-
0
> Hi,
> You can check this: https://stackoverflow.com/questions/63316682/the-key-was-not-found-in-the-key-ring-unable-to-validate-token
> I guess the cookies are not being forwarded correctly
Hi @liangshiwei
Thanks for taking the time to answer.
I've reviewed the link you provided. I already have Data Protection enabled in my application. Some say that you need to turn on "Load User Profile" at the IIS App Pool level; I have done this also, but it's still not working.
I inspected the cookies that are being sent and received from a working Auth and they are the same as this one.
======== Request and Response on the Current Auth Server ========
```
--header 'CONTENT-TYPE: application/x-www-form-urlencoded' \
--header 'Cookie: .AspNetCore.Antiforgery.7_7oYfNDO6o=CfDJ8LtEv6zYqhpBq8QoCOZvwRj3hMqmMyh66vLfrMAVYCv148iHN5tPU_bzT2X6HCUVVi-JUTtug8b1qj_lSkd1IjjzyfSTDqjdY_q8mlehq8dNo9W59nIjd_yZF-BhDhL3n7V3aQvnZviKIhGNlk4oXsc; XSRF-TOKEN=CfDJ8LtEv6zYqhpBq8QoCOZvwRjQKVLtds_flAMclBCWYxLMIwMvzs_ULBhOFK9G39SIsqa8Ro6psCiApU2jyQBkd-NzwEbEOPis-lq3vdDsjfcJkIJWOWJLZDV7TXjUDd1f-wHym2b5E13Y70-othvbhFw' \
--data-urlencode 'client_id=Dawaa24Neo_App' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'username=admin' \
--data-urlencode 'password=********' \
--data-urlencode 'scope=offline_access Dawaa24Neo SharedAuth'
```
Response:
```
{
  "access_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
  "token_type": "Bearer",
  "expires_in": 3600,
  "refresh_token": "eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZDXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
}
```
and it's not being saved in the database: the DB OpenIddictTokens table count after the response is the same
======== Screenshot from a working Local Auth Server ========
```
curl --location --request POST 'https://dawaa24neoauthqa.nh.local/connect/token' \
--header 'CONTENT-TYPE: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=Dawaa24Neo_App' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'username=admin' \
--data-urlencode 'password=**********' \
--data-urlencode 'scope=offline_access Dawaa24Neo SharedAuth'
```
Response
```
{
  "access_token": "eyJhbGciOiJSUzI1NiIsImtpXXXXXXXXXXXXXXXXXx",
  "token_type": "Bearer",
  "expires_in": 3600,
  "refresh_token": "eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZDQkMtSFM1MTIiLCXXXXXXXXXXXXXXXXXXXXXXXXXXXx"
}
```
and it's saved correctly in the DB.
All headers seem to be there. What am I missing here?
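Added example (not part of the thread, and not ABP or Microsoft code): an ASP.NET Core Data Protection payload starts with the 4-byte header `09 F0 C9 F0` (the `CfDJ8` prefix) followed by the 16-byte id of the key that protected it, so the key id can be read from a cookie without decrypting it. The sketch below reads it from the leading characters of the two cookies in the request above and checks it against the key id in the logged exception; the function names are illustrative.

```python
import base64
import re
import uuid

MAGIC = bytes.fromhex("09f0c9f0")  # payload header; "CfDJ8" in base64url
LOG_KEY_RE = re.compile(r"The key \{([0-9a-fA-F-]{36})\} was not found in the key ring")


def payload_key_id(token):
    """Return the id of the key that protected a Data Protection payload."""
    head = token.strip()[:28]  # 28 base64url chars -> 21 bytes, no padding needed
    if len(head) < 28:
        raise ValueError("too short to hold header and key id")
    raw = base64.urlsafe_b64decode(head)
    if raw[:4] != MAGIC:
        raise ValueError("not an ASP.NET Core Data Protection payload")
    # .NET writes the Guid with its first three fields little-endian
    return uuid.UUID(bytes_le=raw[4:20])


def logged_missing_key_ids(log_text):
    """Key ids that 'not found in the key ring' log entries complain about."""
    return {uuid.UUID(m) for m in LOG_KEY_RE.findall(log_text)}


def triage(cookies, log_text):
    """Map cookie name -> (key id, True if the log reports that key missing)."""
    missing = logged_missing_key_ids(log_text)
    result = {}
    for name, value in cookies.items():
        kid = payload_key_id(value)
        result[name] = (kid, kid in missing)
    return result


# Leading characters of the two cookie values from the request in the post above
COOKIES = {
    ".AspNetCore.Antiforgery.7_7oYfNDO6o": "CfDJ8LtEv6zYqhpBq8QoCOZvwRj3hMqmMyh66vLf",
    "XSRF-TOKEN": "CfDJ8LtEv6zYqhpBq8QoCOZvwRjQKVLtds_flAMc",
}
# Message text of the logged exception from the original question
LOG = ("System.Security.Cryptography.CryptographicException: The key "
       "{9f5dc130-2567-47b5-93b6-328773960f1d} was not found in the key ring.")

if __name__ == "__main__":
    for name, (kid, missing) in triage(COOKIES, LOG).items():
        print(f"{name}: key {kid}, reported missing in log: {missing}")
```

Both cookies in that request carry key id `acbf44bb-aad8-411a-abc4-2808e66fc118`, which differs from the id in the logged exception; comparing these ids with the keys the server actually holds shows which cookies it can still decrypt.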
-
0
> Hi,
> You can check this: https://stackoverflow.com/questions/63316682/the-key-was-not-found-in-the-key-ring-unable-to-validate-token
> I guess the cookies are not being forwarded correctly
Can you please replicate the issue on your side? If you have a running auth server, you just need to put an nginx in front of it.
Here is my nginx config:
```
upstream backend {
    # This is my backend Server IP
    # which has the Auth Server Running
    # You can put either IP or FQDN
    server 10.X.X.X;
}

server {
    listen 80;
    listen 443 ssl;
    server_name neoauth-uat-test.dawaa24.com;
    ssl_certificate /etc/nginx/fullchain.pem;
    ssl_certificate_key /etc/nginx/cert.key;

    location / {
        proxy_pass http://backend;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Cookie $http_cookie;
    }
}
```
-
0
Ok,
I will check it.
-
0
-
0
Not working also.
I have recorded a video of the issue (30 seconds): https://drive.google.com/file/d/1x9ZBnr3B5QQdOMbN3C7LTzWdr20X_71f/view?usp=sharing
Please check
-
0
If you use this access_token to access the APIs, will it work?
-
0
Could you try changing the logger level to `debug` and share the full logs? Thanks.
-
0
> If you use this access_token to access the APIs, will it work?

Yes, it will work.
Our mobile dev team is currently using the token to access the application API and it's working.
-
0
> Could you try changing the logger level to `debug` and share the full logs? Thanks.

Sorry for the late response, it took me some time to get Debug working.
I couldn't paste the logs here directly, so I mailed them to you at shiwei.liang@volosoft.com.
Please let me know if you got them. Email subject: Debug Info
-
0
-
0
-
0
Hi,
OK, but no error details or stack trace are logged. Sorry, I didn't find anything.
You can check this to get the details for the exception. https://github.com/dotnet/efcore/issues/33319#issuecomment-2030777176
-
0
> Hi,
> OK, but no error details or stack trace are logged. Sorry, I didn't find anything.
> You can check this to get the details for the exception. https://github.com/dotnet/efcore/issues/33319#issuecomment-2030777176
Hi,
OK, I will ask the dev team to implement this and get back to you.
I am a deployment guy, so it seems like a complex task for me,
but I am just wondering if someone was able to get the Auth Server working behind Nginx while Nginx does the SSL offloading and the SSL stuff,
because if that's the case then we need another static IP (public) DNATed to the Auth Server directly, or to run it as HTTPS on a non-standard port like 8443 (which is not a good practice).
Please keep the ticket open; maybe someone has faced the same issue or has a similar scenario and can help me solve it.
-
0
Ok.